graphql-platform: Nested Authorized Directive does not evaluate

Describe the bug Give the following schema

public class RootQuery : ObjectType<Query>
{
    descriptor.Field(f => f.GetViewerAsync( default, default, default))
                .Type<UserProfileGraph>()
                .Authorize();  //Getting UserProfileGraph requires Authentication
}

public partial class UserProfileGraph : ObjectGraphType<UserProfile>
{
        protected override void Configure(IObjectTypeDescriptor<UserProfile> descriptor)
        {
            base.Configure(descriptor);
            
            descriptor.Field<UserProfileGraphModel>(f => f.GetUserClaims(default, default))
                .Type<NonNullType<ListType<ClaimGraph>>>()
                 .Authorize(roles:"Admin" );   // this field requires Admin Policy 
       }
}

To Reproduce Outer field only requires Authorization Inner field requires specific Role

Only Outer Policy gets triggered, Inner field is already authorized so it skips authorization check.

Inner field passes security check and allows me to execute it without Admin Policy being checked

Expected behavior Authorize Policies should stack , or at the very least evaluate always.

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 18 (18 by maintainers)

Most upvoted comments

Why are you including it?

With include you essentially tell the type to infer the field … then you are trying to declare the same field explicitly. This is why it fails… your declaration is ignored since you included it first.

+1
michaelstaib on Oct 9, 2019

Added directive middleware into the test and it still performs as expected.

https://github.com/ChilliCream/hotchocolate/commit/8ad68e5856cda441fd948863321a01aeef18cc86

I will wait for your repro.

+1
michaelstaib on Oct 8, 2019
Read more comments on GitHub
← graphql-platform: Missing optional value in input type throws exception
graphql-platform: Overfetching problem when querying related entities and using intermediary projections →